This was touched upon by Natasha Holcroft-Emmess in her post for Rights Info. But Article 8 of the European Convention on Human Rights, the Conservatives favourite Convention Right says that:

Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Article 8 is usually a ‘please leave me alone’ right, where the State should do just that (negative obligations). Article 8 does not have an exhaustive definition (Bărbulescu v Romania, (para 70)), but it can encompass many aspects such as one’s physical and moral integrity, including of one’s sexual life (X and Y v Netherlands, (para 22)). It also encompasses one’s psychological integrity (Pretty v UK, (para 61).

Not only should States generally leave us alone, there are circumstances where they should intervene, this is called a positive obligation. The European Court of Human Rights(ECtHR) summarises this:

The Court recalls that although the object of Article 8 (art. 8) is essentially that of protecting the individual against arbitrary interference by the public authorities, it does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private or family life. These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (X and Y v Netherlands, (para 23)).

In X and Y, the ECtHR found a violation of Article 8 because there wasno lawin place that allowed complaints to be made on behalf sexually abused mentally (who do not have the capacity to complain themselves) handicapped people (para 28-30). Where essential aspects of private life are at stake, efficient criminal law is required (KU v Finland, (para 43)). Requiring criminal law does not require the seriousness of the occurrences in X and Ybecause upskirting is not trivial, it is criminal (KU v Finland, (para 45)). This is more important as the ECtHR recalls that:

[S]exual abuse is unquestionably an abhorrent type of wrongdoing, with debilitating effects on its victims. Children and other vulnerable individuals are entitled to State protection, in the form of effective deterrence, from such grave types of interference with essential aspects of their private lives (KU v Finland, (para 46)).

Given that upskirting has affected girls as young as 10, criminal sanction becomes more pressing. And so because Christopher Chope MP decided to be a supreme turd, he has put the UK at divergence with its obligations under the ECHR.

[P]rohibit a member State from treating groups differently in order to correct “factual inequalities” between them; indeed in certain circumstances a failure to attempt to correct inequality through different treatment may in itself give rise to a breach of the Article (Stec and Others v UK, (para 51)).

The factual inequality here is that upskirting primarily affects females. This is not to say that the Bill should only create an offence where only women can be the victims of said crime. I’m saying that the reality is that it is primarily women who are affected by this crime, and by doing nothing, primarily women will suffer. To ignore this inescapable fact is to remove the utility of Article 14.

Conclusions:

Simply put, the actions of Christopher Chope MP in denying criminalising upskirting is an affront to human rights. It’s a violation in terms of the violation of Article 8 rights of females, especially the young as the State’s protection of them is paramount. It’s a violation of Article 14 combined with Article 8 because it ignores the reality that females are the targets of this crime.

Ladies and gentlemen, Bagginses and Boffins. Tooks and Brandybucks. Grubbs! Chubbs! Hornblowers! Bolgers! Bracegirdles! Proudfoots. Put your butter away for I am about to respond, rebut, rebuke and more to a recent blog post for Judicial Power Project, by Anthony Speaight QC on data retention.

Next, Speaight recaps the data retention saga so far, in that telecommunications companies have always recorded who uses their services, when and where, often for billing purposes. A long time ago, in a galaxy far, far away (a few years ago, and anywhere with an internet connection) this position was a robust one. But the European Commission (Commission) in 2011 highlighted that:

So, it’s simply untrue to refer to just billing data when talking about data retention, because this isn’t the only data that is or has ever been sought.

It’s the Islamists fault why we have data retention:

Speaight next points out that it was the advent of Islamist international terrorism that made it advantageous to place data retention obligations on companies. Oh really? Are we going down this route? Well….. demands for data retention can be traced back to the ‘International Law Enforcement and Telecommunications Seminars’ (ILETS) (6) and in its 1999 report, it was realised that Directive 97/66/EC (the old ePrivacy Directive) which made retention of communications data possible only for billing purposes was a problem. The report sought to ‘consider options for improving the retention of data by Communication Service Providers.’ Improve? Ha. Notice how 1999 was before 9/11? Funny that.

It doesn’t stop there though. A year later (still before 9/11), the UK’s National Crime and Intelligence Service (NCIS) made a submission (on behalf of the Mi5/6, GCHQ etc) to the Home Office on data retention laws. They ironically argued that a targeted approach would be a greater infringement on personal privacy (para 3.1.5). Of course, they didn’t say how or why this was the case, because, reasons. Charles Clarke, the then junior Home Office Minister, and Patricia Hewitt, an ‘E-Minister’ both made the claim such proposals would never happen (Judith Rauhofer, ‘Just Because You’re Paranoid, Doesn’t Mean They’re Not After You: Legislative Developments in Relation to the Retention of Communications Data’ (2006) SCRIPTed 3, 228; Patricia Hewitt and Charles Clarke, Joint letter to Independent on Sunday, 28 Jan 2000) and should not be implemented (Trade and Industry Committee, UK Online Reviewed:the First Annual Report of the E-Minister and E-Envoy Report (HC 66 1999-2000), Q93).

Guess what? A year later Part 11 of the Anti-terrorism, Crime and Security Act 2001 (ATCSA 2001) came into force three months after 9/11 (Judith Rauhofer, 331). The Earl of Northesk, however, pointed out that ‘there is no evidence whatever that a lack of data retained has proved an impediment to the investigation of the atrocities’ on 9/11 (HL Deb 4 Dec vol 629 col. 808-9). What this demonstrates is that data retention was always on the cards, even when its utility wasn’t proven, where the then Prime Minister Tony Blair, noted that ‘all the surveillance in the world’ could not have prevented the 7/7 bombings. It’s just that as Roger Clarke succinctly puts it:

“[M]ost critical driver of change, however, has been the dominance of national security extremism since the 2001 terrorist attacks in the USA, and the preparedness of parliaments in many countries to grant law enforcement agencies any request that they can somehow link to the idea of counter-terrorism.” (Roger Clarke, ‘Data retention as mass surveillance: the need for an evaluative framework’ (2015) International Data Privacy Law 5:2 121, 122).

What about its true purpose? You know, spying on every EU citizen? Well the European Data Protection Supervisor (EDPS) responded to the Commission’s evaluation of the DRD. WARNING: EDPS pulls no punches. First, the EDPS reiterated that the DRD was based upon the assumption of necessity (para 38). Secondly, the EDPS criticised the Commission’s assertion that most Member States considered data retention a necessary tool when conclusions were based on just over a third (that’s less than half, right?) of them (para 40). Thirdly, these conclusions were in fact, only statements (para 41). Fourthly, the EDPS highlighted there should be sufficient quantitative and qualitative information to assess whether the DRD is actually working and whether less privacy intrusive measures could achieve the same result, information should show the relationship between use and result (43).

Surprise, surprise, the EDPS didn’t find sufficient evidence to demonstrate the necessity of the DRD and that further investigations into alternatives should commence (para 44). Fifthly, the EDPS pretty much savaged the quantitative and qualitative information available (para 45-52). A few years later, the CJEU asked for proof of the necessity of the DRD. There was a lack of statistical evidence from EU Member States, the Commission, the Council and European Parliament, and despite that, they had the cheek to ask the CJEU to reject the complaints made by Digital Rights Ireland and others anyway (ibid). Only the Austrian government were able to provide statistical evidence on the use (not retention) of communications data which didn’t involve any cases of terrorism (ibid). The UK’s representatives admitted (come again? The UK admits something?) there was no ‘scientific data’ to underpin the need of data retention (ibid), so the question begs, wtaf had the DRD been based upon? Was it the assumption of necessity the EDPS referred to? Draw your own conclusions. The moral of the story is that the DRD did not operate smoothly.

I felt a great disturbance in the Law, as if thousands of spies, police, other public authorities, politicians and lawyers suddenly cried out in terror, as the State were suddenly unable to spy anymore. I fear something terrible has happened.

So, who was surprised? Was it the European Parliament who had initially opposed this form of data retention as they urged its use must be entirely exceptional, based on specific comprehensible law, authorised by judicial or other competent authorities for individual cases and be consistent with the European Convention on Human Rights (ECHR)? Was it a surprise to them when they also noted that that ‘a general data retention principle must be forbidden’ and that ‘any general obligation concerning data retention’ is contrary to the proportionality principle’ (Abu Bakar Munir and Siti Hajar Mohd Yasin, ‘Retention of communications data: A bumpy road ahead’ (2004) The John Marshall Journal of Computer & Information Law 22:4 731, 734; Clive Walker and Yaman Akdeniz, ‘Anti-Terrorism Laws and Data Retention: War is over?’ (2003) Northern Ireland Legal Quarterly 54:2 159, 167)?

Was it a surprise to the WP29, the European Data Protection Commissioners, the International Chamber of Commerce (ICC), European Internet Services Providers Association (EuroISPA), the US Internet Service Provider Association (USISPA), the All Party Internet Group (APIG) (Abu Bakar Munir and Siti Hajar Mohd Yasin, 746-749) and those at the G8 Tokyo Conference? Hell, even our own assistant Information Commissioner, Jonathan Bamford, back in 2001 wouldn’t be surprised because he said ‘Part 11 isn’t necessary, and if it is necessary it should be made clear why’ (HL Deb 27 Nov 2001 vol 629 cc183-290, 252). Was it a surprise when prior to Digital Rights Ireland:

The point I’m trying to hammer home is that (you’ve guessed it), the CJEU’s ruling in Digital Rights Ireland should come as no surprise. Still on the issue of surprise, for Speaight it was because it departed from decisions of the European Court of Human Rights (ECtHR) and the CJEU itself. Ok, let’s look at these ECtHR cases Speaight refers to. The first is Weber and Saravia v Germany, a case on ‘strategic monitoring.’ This is a whole different kettle of fish when compared to the DRD as this concerned the surveillance of 10% (I’m not saying this is cool either btw) [30, 110] of German telecommunications, not the surveillance of ‘practically the entire European population’ [56]. Ok, that may have been an exaggeration by the CJEU as there are only 28 (we’re not so sure about one though) EU Member States, but the point is, the powers in question are not comparable. The DRD was confined to serious crime, without even defining it [61]. Whereas German law in Weber concerned six defined purposes for strategic monitoring, [27] and could only be triggered through catch words [32]. In Digital Rights Ireland, authorisation for access to communications data in the DRD was not dependent upon ‘prior review carried out by a court or by an independent administrative body’ [62] where in Weber this was the case [21, 25]. Apples and oranges.

The second ECtHR case was Kennedy v UK, and it’s funny that this case is brought up. The ECtHR in this case referred to a previous case, Liberty v UK in which the virtually unfettered power of capturing external communications [64] violated Article 8 of the ECHR [70]. The ECtHR in Kennedy referred to this as an indiscriminate power [160, 162] (bit like data retention huh?), and the UK only succeeded in Kennedy because the ECtHR were acting upon the assumption that interception warrants only related to one person [160, 162]. Of course, the ECtHR didn’t know that ‘person’ for the purposes of RIPA 2000 meant ‘any organisation and any association or combination of persons,’ so you know, not one person literally.

And this was, of course, prior to Edward Snowden’s bombshell of surveillance revelations, which triggered further proceedings by Big Brother Watch. A couple of years ago, in Roman Zakharov v Russia, the ECtHR’s Grand Chamber (GC) ruled that surveillance measures that are ‘ordered haphazardly, irregularly or without due and proper consideration’ [267] violates Article 8 [305]. That is because the automatic storage of clearly irrelevant data would contravene Article 8 [255]. This coincides with Advocate General (AG) Saugmandsgaard Øe’s opinion that the ‘disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime’ [252]. That’s a lot of irrelevant data if you ask me. Judge Pinto de Albuquerque, in his concurring opinion in Szabo and Vissy v Hungary regards Zakharov as a rebuke of the ‘widespread, non-(reasonable) suspicion-based, “strategic surveillance” for the purposes of national security’ [35]. So, I’d say that even Weber v Saravia is put into doubt. And so, even if the CJEU rules that data retention in the national security context is outside its competence, there is enough ECtHR case law to bite the UK on its arse.

The CJEU case law that Speaight refers to is Ireland v Parliament and Council which was a challenge to the DRD’s legal basis, not whether it was compatible with the Charter of Fundamental Rights, so I’m not entirely sure what Speaight is trying to get at. All in all, Speaight hasn’t shown anything to demonstrate that Digital Rights Ireland has departed from ECtHR or CJEU case law.

You forgot to say the UK extended data retention laws:

Speaight then rightly acknowledges how the UK government replaced UK law implementing the DRD with the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014) in lightspeed fashion. What Speaight omits, however, is that DRIPA 2014 extended retention obligations from telephone companies and Internet Service Providers (ISPs) to Over-The-Top (OTT) services such as Skype, Twitter, Google, Facebook etc. James Brokenshire MP attested that DRIPA 2014 was introduced to clarify what was always covered by the definition of telecommunications services (HC Deb 14 July, vol 584, 786). This, of course, was total bullshit (5), but like I said, politicians goin’ politicate.

Claimants don’t ask questions, courts do:

Speaight moves onto the challenges to DRIPA 2014, we know the story already, the High Court (HC) said it was inconsistent with Digital Rights Ireland, whereas the CoA disagreed, blah, blah. Speaight points out that the claimants had no issue with data retention in principle, which is true, but so what? Speaight also points out that the CJEU went further than what the claimants asked by ruling that blanket indiscriminate data retention was not permissible under EU law. Wait, what the fark? It’s not the bloody claimants’ that ask the CJEU a question on the interpretation of EU law as I’m pretty sure it was the Swedish referring court (via Article 267 of the Treaty on the Functioning of the EU, you know, a preliminary reference) that asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC, 1 taking account of Articles 7, 8 and 15(1) of the Charter?

And the CJEU said no. End of discussion.

The ends don’t always justify the means and for clarity, the CJEU didn’t reject shit:

Speaight also says that the CJEU in Tele2 and Watson rejected AG Saugmandsgaard Øe’s advice that the French governments found access to communications data useful in its investigations into terrorist attacks in 2015. Such a position however, falls victim to several questions, such as under what circumstances was the data sought? Was it accessed as a consequence of the legal obligation to retain? Or was it already retained for business purposes? What were the results of the use of that data? Could the same results have been achieved using less intrusive means? Saying it is useful tells us nothing as the ECtHR has plainly said necessity (in a democratic society) is not as flexible as expressions such as ‘useful’ [48], and as the CJEU rightly noted, a measure in and of itself, even in the general interest cannot justify general indiscriminate data retention [103]. This demonstrates that the CJEU didn’t reject anything, they didn’t even refer to the French government’s evidence, they just said as fundamental as fighting serious crime may be, and the measures employed, cannot by themselves justify such a fundamental departure from the protection of human rights. Just because you can, doesn’t mean you should. A certain ECtHR said something similar in Klass v Germany in that States ‘may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate’ [49].

The CJEU doesn’t have to answer what it wasn’t asked:

Speaight then whines about the CJEU not addressing the issue of national security, well they weren’t asked about national security in Tele2 and Watson, were they? Like I said, even if the CJEU doesn’t have competence to rule on national security based data retention, Roman Zakharov is watching you from Strasbourg (he’s not actually in Strasbourg, I don’t think, but you dig).

What’s your problem with notification?

Speaight also bemoans the obligation to notify saying this requirement could damage investigations and surveillance and went beyond what the claimants had asked. Well, again, the claimants weren’t asking the questions, ffs, and the CJEU made this point by referring to previous case law, notably, Schrems [95]. The CJEU made very clear that notification should be done ‘as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities’ [121]. This is consistent with the ECtHR’s stance. Both courts are aware that notification can defeat the purpose of the investigation, and sometimes even after it has concluded, notification may still not be appropriate. But Speaight seems to omit this crucial detail.

Lawyers getting mad:

Speaight notes that criticism of Tele2 is not confined to Eurosceptics. Sure, but you don’t have to be a Europhile to defend it either. He also noted that it was roundly condemned by all the participants at a meeting of the Society of Conservative Lawyers. Well, no shit to my Sherlock, the name kinda gave it away. He also notes that the former Independent Reviewer of Terror law, David Anderson QC, said it was the worst judgment he knew of. Wait til Anderson reads the ECtHR’s case law on this matter then, which if anything, on proper reading goes further than Tele2. Speaight also points out that Demonic Grieve QC MP was pissed and that a well distinguished member of the French Bar, Francois-Henri Briard basically saying we need more conservative judges to trample on fundamental rights. If a judgment that protects the fundamental rights of all EU citizens pisses off a few lawyers, so be it.

Conclusions:

I’ve spent way too much time on Speaight’s post, and the really sad thing is, I’ve enjoyed it. It’s hard to have a conversation about data retention when you first have to sift through a load of bollocks, and there was plenty of bollocks, just to make your point. And by the time you’ve cleared through all the falsities and misleading or exaggerated points, you run close to 4k words without actually saying what your position is. So, my position for this blog post is, we should always shoot down rubbish when it shows its ugly face or else it festers. Actually, the point is, I can believe that blanket indiscriminate data retention is unlawful.

It takes a lot to get academics up in arms. It takes even more to bring them into even a semblance of unity – we spend most of our working life arguing with each other, and trying our best to demonstrate that our arguments are different from those of our peers. ‘Originality’ we call it. The result of this is that organising academics is a bit like herding cats.

There are, however, a few things that can bring about both action and some degree of unity. Academic freedom is one – the threat of political interference with our work, as in the brief appointment of Toby Young to the Office for Students, and what is likely to lie ahead in that government continuing plan to corral the universities into obedience. Another is our pensions – the reason for the current strike.

Why do we care about our pensions so much? There are a couple of connected reasons for that – as far as I can see, and of course I only really speak for myself. For one thing, we really don’t want to be spending our working lives designing a career based upon how we can generate the highest income. It would be pointless, for most at least, as salaries across academia except at the highest levels and in some very specific fields, do not really vary that much. More importantly, because of the nature of our work, we want to choose our careers based on the people we can work with, the courses we are expected to teach, the calibre of the students, and so forth. These are academic considerations, not financial ones, and there is not necessarily a correlation between them. The most interesting jobs may well not be the best paid – and in academia, the work being interesting is the most important point.

The second reason is that in academia we are actually not that well paid – when our abilities, qualifications and potential are considered. Most of us could – and some of us used to – earn much more outside academia. In my case, I earned more in real terms as a 26 year old accountant than I do as a 53 year old academic. I am far from alone. And it is not just in a few fields like law and business studies that academics could earn more outside the Ivory Towers. Scientists are in demand in industry. Linguists in a wide range of areas. Communications and media scholars in the media itself, in politics and indeed in business. Mathematics is critical to IT. Historians and others in the humanities, as well as scholars of English have huge amounts to offer many businesses. Indeed, scholars who specialise in periods such as 17th century France or 15th century Eastern Europe could have taught the Internet giants a lot about the nature of the current ‘fake news’ phenomenon. What’s more, we’re all now expected to produce ‘impact’ (an effect on the outside world) and ‘engagement’ (involvement with the outside world): it’s very hard to get promoted or a new job without it. The idea that academics are a bunch of badly-dressed eggheads who don’t understand the real world at all is very, very far from the truth.

What we actually do is *choose* to work in academia, though the rewards are lower than what we could earn elsewhere? Why? Partly for the intellectual challenge and the academic freedom. Partly because at its best it is an immensely satisfying job. Partly, though, because the package of rewards we get – including a decent salary and a decent, reliable pension – matches the commitment that we put in. Few of us can generate enough income outside our academic work to provide a supplementary pension – and few inherited enough wealth to make that irrelevant. All careers have some kind of a bargain involved – that has been the academic one, and it has worked.

That’s one of the critical points here: our universities have worked very well. We have far more world class universities than other nations of a comparable size. If there are attacks on the ‘value for money’ offered to students that is primarily a reflection of the ridiculous and artificial fee rate chosen by our recent governments’ twisting of the financing of higher education than of the way our courses are taught. You can argue how it should be done – funding it centrally from government, making universities generate their own income or look for rich donors or generous alumni – but what should be clear is that the current fee level is artificial, so any ‘value for money’ calculations based upon it are equally artificial. Moreover, none of those made publicly take the other values of the universities into account. Their role in society. The use of research. In the days of ‘fake news’, the need for institutions with the skills and resources to examine what is actually happening is particularly important. We need the universities more in the current climate than we have ever done.

That makes the current pension plan even more pernicious. To make it clear, the plan for universities’ pensions is to make a monumental shift – effectively from ‘defined benefits’ (where retirees know what they will receive) to ‘defined contributions’ (where what you receive depends on the stock market) – that will in all probability make most academics far worse off in retirement. This monumental decision is being made at a time of massive uncertainty, on the basis of very contentious calculations using a huge number of assumptions, the centrepiece of which is a snapshot of the market value of the scheme’s assets, again at a time of massive uncertainty. I would not call myself an expert, but I have a degree in mathematics from Cambridge and I used to be a Chartered Accountant – and as an auditor I specialised in financial services, including pension schemes. What I do know is that making such decisions in such circumstances is what Sir Humphrey would have called ‘bold’. To do so to the massive detriment of the academics and support staff in the scheme is truly awful (for a good analysis of the problems with the analysis, see here), and smacks of taking advantage of the situation by the Vice Chancellors and others who are behind this move.

So this is why we are on strike. To protect something hugely valuable. To stop an awful decision with massive ramifications being made at a wholly inappropriate time. In the end, to help the students of the future – because with this change, many good academics will leave, taking their transferrable skills to places where they are more appreciated, whether that be academia abroad (where many of the best would be welcomed) or outside academia entirely. It is for our own future, of course – but it is for more than that. And though we, like all people, are selfish and self-centred a lot of the time, there really is more to this than selfishness. I hope those outside academia can appreciate this. Indeed, I hope the Vice Chancellors appreciate this – and at the very least come back to the negotiating table without preconditions. The nature of the pension scheme has to be on the table – it’s the whole point. If that is not understood, it suggests the Vice Chancellors have very little understanding of the institutions they are supposed to be in charge of.

The unedifying ‘scuffle’ at Jacob Rees-Mogg’s appearance at the University of the West of England has provoked a great deal of reaction – some of it distinctly over-the-top. Precisely what happened, who started the fight and why, remains a little unclear – and is not the topic of this post. It is Theresa May’s reaction, to suggest a new law to protect MPs against intimidation, that is more interesting for those of us who are interested in freedom of speech – not only in its practice but its purpose.

The need for a new law is at best contentious – there is already plenty of law to deal with threats and intimidation, public order law, law to protect against harassment and much more – and it is entirely possible that nothing will materialise from Theresa May’s pronouncement other than a few headlines in the Daily Mail. The reasons behind the desire for the law, however, reveal a lot about Theresa May and those who share her views. Effectively, though she and they would be very unlikely to use the words, they’re looking for a ‘safe space’ for MPs. This, coming from the same people who have been actively campaigning against ‘safe spaces’ in universities for others, has more than a whiff of hypocrisy about it. It is, however, remarkably familiar. Many – perhaps most – of those who claim to be great champions of free speech are often very keen on protecting the free speech of people like them, or of people who share their views, but far less keen on providing the same protection for those they disagree with.

Safe Spaces can be a good thing

What the supporters of a law to protect MPs from intimidation might understand, if they thought a little further, is that safe spaces can be a good thing. If we want a civilised debate, if we want people not to be intimidated into silence, if we want to encourage those whose voices are rarely heard, then a supportive – or at the very least not threatening – environment really helps. Theresa May understands that for MPs – because she understands MPs, and supports them in that role. That much is easy – making the leap to understand that others need that protection and that safety too seems to be much harder.

Safe Spaces can be a bad thing

On the other hand, if the creation of a ‘safe space’ is to stop particular voices being challenged, it is not so clearly a good thing – and that may well be what happens at times. For debate to function, challenging needs to be possible – banning hecklers and protestors is not always a good thing. Drawing a line is not always easy – as the UWE fracas showed. The initial protest, and indeed Jacob Rees-Mogg’s first response to it, seemed relatively civilised and harmless. Protest is a critical part of freedom of speech – the vehemence with which authoritarian regimes deal with it should at least give pause for thought. The idea that Donald Trump might only visit the UK if Theresa May stops protests is not something we should accept, for example.

Safe Spaces for whom?

What should give us even more pause for thought is who we need to provide safe spaces for, and why – and this is where the idea that we should legislate for safe spaces for MPs whilst actively working against safe spaces for others feels particularly wrong. MPs already have plenty of ‘safe spaces’ to air their views. Parliament itself, for one. The studios of all the TV and radio broadcasters. Columns in major newspapers and magazines. Others – particularly vulnerable or marginalised people and groups – have almost no access to these. They have neither freedom of speech in practice nor safe spaces in which to hear others. They don’t have powerful friends and allies to open doors, provide platforms – or bring in legislation.

That is the thing about rights – and human rights in particular. The main need for those rights is for the relatively weak, to protect them from the relatively strong. People with strength and power already have many means to protect themselves – in free speech terms, they have many ways to express themselves and a ready audience to listen. For others none of that is true – and that is what we need to remember.

Free speech is not simple – it is messy and complicated, nuanced and difficult to find our way through. That complication needs to be taken on board – because free speech is also really important. We should be particularly wary of those proclaiming themselves champions of free speech – what they are championing is often at best an oversimplification, and often a complete distortion. In Theresa May’s case, it may be even worse. The kind of law envisaged would not support free speech – it would support the powerful against the weak. It should be thoroughly resisted.

On 21 September 2017, the Guardian published an article warning that from January 2018, UK banks and building societies are to carry out immigration checks on 70 million current accounts. 70 million?

The article continues that this measure is expected to identify 6000 visa overstayers, failed asylum seekers and foreign national offenders facing deportation. Accounts that are identified will be closed down or frozen, to make it difficult to maintain a settled life in the UK. This is said to act as a powerful incentive for an agreement on voluntary departure so money can be secured once they’ve left the country. Hang on, if accounts can be closed or frozen, how are home returners supposed to pay for leaving the UK if they can only access their money after they have left?

“The government’s own record shows it cannot be trusted even to implement this system properly. Immigration status is very complex, and the Home Office consistently gives out incorrect information and guidance…Migrants and ethnic minorities with every right to be here will be affected by the imposition of these new checks.”

This began with the then Home Secretary (now Prime Minister) Theresa May in an interview with the Telegraph where said:

“The aim is to create here in Britain a really hostile environment for illegal migration… What we don’t want is a situation where people think that they can come here and overstay because they’re able to access everything they need.”

“[P]ackage of measures designed to make life so difficult for individuals without permission to remain that they will not seek to enter the UK to begin with or if already present will leave voluntarily.”

This includes ‘measures to limit access to work, housing, health care, bank accounts and to reduce and restrict rights of appeal against Home Office decisions’ (ibid). The defining feature is the reliance on indirect means to encourage compliance with and punish breaches of immigration control (ibid) effectively turning the UK into a nation of border cops.

So, what is the legal basis for latest in the Hostile Environment Saga?

As Yeo highlights, the legal basis for this new measure appears to come from Schedule 7 of the Immigration Act 2014 (IA 2014) which inserts s.40A into the IA 2014. Section 40(A)(1) requires banks and building societies to carry out immigration checks (specified by regulations) into each current account which is not an excluded account. Excluded accounts consists of accounts used for purposes of trade, business or profession, which can be found in Regulation 2 of the IA 2014 (Current Accounts) (Excluded Accounts and Notification Requirements) Regulations 2017. Section 40B concerns the bank or building societies duty to notify the existence of current accounts for disqualified persons. A disqualified person is spelt out in s.40(A)(3) of the IA 2014, is a person who is in the UK, does not have leave to remain and for the Secretary of State to consider the account to be frozen (see s.40D and E of the IA 2014 respectively).

The Regulation responsible for the immigration checks made under s.40(A)(1) of the IA 2014 can be found in the Immigration Act 2014 (Current Accounts) (Compliance &c) Regulations 2016. Regulation 2 notes that immigration checks must be carried out during each successive quarter of each year. Four times a year, every year! So, these ridiculous powers appear to have a sound legal basis, I guess that is the end of that chapter, right? Yeah, I didn’t think so.

Give me a E, give me a C, give me a H, give me a R:

That pesky human rights document that the UK helped draft all them years ago just won’t stop being a pain in its ass. Yes, I am referring to the European Convention on Human Rights (ECHR). Why is this relevant? Because as Yeo correctly notes the hostile environment measures have great potential of intruding into people’s private lives. And what does Article 8 of the ECHR protect? Private life. For those who are unfamiliar with probably the most elusive (Luke Clements, Nuala Mole, and Alan Simmons, EUROPEAN HUMAN RIGHTS: TAKING A CASE UNDER THE CONVENTION p. 176 (2d ed. 1999)) Convention Right, it states that:

Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except as is in accordance with the law and is necessary in a democratic society in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

In a nutshell, this Article says that the State should leave us the hell alone in the enjoyment of these rights (negative obligations). This is not absolute, and there are certain circumstances in which the State can intervene (as detailed in Article 8(2)), there may even be instances where the State has failed to intervene and thus failed to protect Article 8 rights based on positive obligations (X and Y v Netherlands, (para 23)).

For this blog, only the aspect of private life will be considered. For Article 8 to be applicable, it first has to be engaged/triggered/interfered with, and because private life is not susceptible to exhaustive definition (Bărbulescu v Romania, (para 70)), this is easy-peasy to establish. Immigration checks requires the processing of personal data which is detailed in many data protection instruments, and as such involves an interference with private life (Amann v Switzerland, (paras 65-7)). The mere fact that personal data is even stored interferes with Article 8 whatever the subsequent use of said data (S and Marper, (para 67)). This is due to the protection of personal data being of fundamental importance to the enjoyment of private life (ibid, (para 103)). There are various other ways in which Article 8 could be engaged, whether it is based on removal (which would also interfere with ‘family life’ (Al-Nashif v Bulgaria, (para 102-103)) and ‘home’ (Slivenko and others v Latvia, (para 96)), or disrupting professional activities (Niemietz v Germany, (para 29) etc. Once interference has been established, this must be ‘in accordance with the law’ and ‘necessary in a democratic society.’

In Accordance with the Law:

Here comes some legal Kung Fu. The first legal test of whether a measure complies with human rights is to determine whether the law is ‘in accordance with the law.’ Essentially whether the law itself is lawful. The European Court of Human Rights (ECtHR) have ruled extensively on the matter and has set out some clear requirements. The law has to have some basis in domestic law (M.M. v UK, (para 193)), and has to have quality e.g. be accessible and foreseeable (S and Marper, (para 95).

This first requirement of having some basis in domestic law is satisfied due to the power to compel banks and building societies comes from an Act of Parliament which enables Regulations to be created to that effect. The law will probably also satisfy accessibility because its published online (Leander v Sweden, paras 52-3). Now, foreseeability is a little trickier, a law is foreseeable if it is formulated with sufficient precision to enable any individual – if need be with appropriate advice – to regulate their conduct (Amann v Switzerland, (para 56). This ensures there are adequate indication of the conditions and circumstances in which the authorities are empowered to resort to any such measures (Uzun v Germany, (para 61). After all:

[I]t would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference…(Szabo and Vissy v Hungary, (paras 230-1).

Forgive the dense legal jargon, but correct me if I’m wrong, the power to compel banks and building societies to conduct immigration checks applies to all current accounts, yeah? In addition to this, these checks occur four times a year every year. So, first of all, where is the adequate indication that the state will resort to these measures if they affect every current account? Yeah, there isn’t any because they affect every current account. What are the circumstances for when an immigration check may occur (like for example, when there is reason to suspect (Roman Zakharov, (para 260) this current account belongs to someone who has outstayed their visa)? That’s right, the law says nothing on this. So, if this affects 70 million accounts and the Home Office is looking to catch 6000 (where did this figure even come from btw?) people, then 69994000 (assuming there are no multiple current accounts by overstayers) current accounts have just been screened for no reason at all. This is a textbook example of arbitrary interference due to the unfettered power this law provides. So, in a nutshell, this law is not foreseeable because it does not indicate when and in what circumstances a current account may be screened, it affects all current accounts, arbitrarily interferes with Article 8 rights, and grants unfettered powers. Therefore, (you guessed it) the power to compel immigration checks on current accounts is not in accordance with the law, and thus violates Article 8. Did I miss anything? Oh yes, the next human rights test.

Necessary in a Democratic Society:

Finding that s.40(A)(1) of the IA 2014 is not in accordance with the law usually means it is no longer necessary to consider whether such measures are ‘necessary in a democratic society’ (M.M., (para 207); Amann, (para 63)). I could have finished this blog post in the previous paragraph, but where is the fun in that (Kurić and others v Slovenia, (para 350))?

For a measure to be ‘necessary in a democratic society’ interfering with said rights must correspond to ‘pressing social need,’ whether it was ‘proportionate to the legitimate aim pursued,’ and ‘whether the reasons given by the national authorities to justify it are relevant and sufficient’ (S and Marper, (para 101)).

Pressing social need:

Are these blanket checks necessary? After all, ‘necessary’ is not synonymous with ‘indispensable’ but that doesn’t mean it’s as flexible as ‘desirable,’ ‘reasonable’ or ‘useful’ either (Handyside v United Kingdom, (para 48)). Therefore, relying on its utility (proven or unproven) is not enough and the state requires a greater justification (Pullen & Ors -v- Dublin City Council, (para 12(c)). The Joint Committee on Human Rights (JCHR) have pointed out that ‘[t]here must be a sufficient factual basis for believing that there was a real danger to the interest which the State claims there was a pressing social need to protect’ (Joint Committee on Human Rights, First Report (HL 42/HC 296, 23 April 2001), Annex 2).

So, are these measures necessary? Let’s consider the justifications for them from the impact assessment. The Government argue that they want to catch irregular migrants who created current accounts before it was lawful to run immigration checks when they were first set up or those who created current accounts lawfully but subsequently became irregular (so you know, all migrants are kinda suspects now). The next sentence is very suspect, the Government said they want banks and building societies to check the accounts of known irregular migrants which is a tad different from requiring them to check every current account, four times a year, just in case. The impact assessment later acknowledges the process of immigration checks is to check every current account for matches (ibid, para 20), so essentially a panoptic sort (Oscar H. Gandy Jr, The Panoptic Sort: A Political Economy Of Personal Information (Critical Studies in Communication and in the Cultural Industries) 1993 Westview Press). The impact assessment does not consider the impact on human rights, particularly Article 8 for example (SO HOW DO THEY KNOW IT IS COMPLIANT? OH WAIT…), the fact that bank details are processed for another purpose unconnected to its original purpose of processing (purpose limitation). The impact assessment does not entertain the possibility of only checking current accounts where there are reasonable and objective grounds to believe it belongs to an irregular migrant. Furthermore, the impact assessment acknowledges that after the first year, only about 900 matches will be made (ibid, para 20) even though 70 million current accounts will be checked four times a year. In essence the immigration checks are done ‘haphazardly, irregularly or without due and proper consideration’ (Roman Zakharov, (para 257)). There might be a pressing social need to remove over stayers by checking current accounts that are linked to them, but there can be no pressing social need that subjects every current account to the whims of a Government hell bent cementing its hostile environment. And on a deeper level, what has the right to live in the UK have to do with having a current account? This link is never established and so weakens the justifications for this measure further. Not establishing a pressing social need for such wide-reaching powers would too violate the ECHR (Faber v Hungary, (para 59)).

Relevant and sufficient:

This mainly concerns the effectiveness of the measure which relies upon factual, statistical, or empirical information as to the effectiveness of a certain measure (Janneke Gerards, ‘How to improve the necessity test of the European Court of Human Rights’ (2013) I•CON 11:2 466, p473). The effectiveness of the impact assessment is based purely on guesstimation as the impact assessment admits (impact assessment, para 24). The Home Office and HM Treasury would conduct an informal review 12 months after implementation to ensure effectiveness (impact assessment, para 24). Not only is there no evidence to back up any assertions i.e. pilot studies etc, the Governmental department for controlling immigration will assess its own effectiveness (that’s some independence right there), which is not even guaranteed because this is not mandated by the IA 2014, but there is no explanation of what ‘informal review’ means. Sounds a bit cloak and dagger substituting intrigue with concern. A measure is not sufficient just because its subject-matter fell within a particular category or was caught by a legal rule formulated in general or absolute terms (Sunday Times v UK, (para 65)). Not only is there no evidence to justify this measure, the screening subjects all current accounts to a rule formulated in general terms i.e. by virtue of having a current account, your immigration status will be checked. Even if the justifications were relevant, this does not mean they are sufficient, and a lack sufficient reasons too would violate the ECHR (ibid, (paras 63 and 67)).

Proportionality:

This test comes in many flavours (Thomas Hickman, ‘Proportionality: Comparative Law Lessons’ (2007) 12 Jud. Rev. 31.) but two aspects from the ECHR perspective will be considered for this blog post. The two aspects are whether the measure was the least restrictive to obtain the objective, and whether a fair balance has been struck.

The least restrictive measure (LRM) is exactly what it is, don’t use a sledgehammer to crack a nut, we have nutcrackers for that (Eva Brems and Laurens Lavrysen ‘‘Don’t Use a Sledgehammer to Crack a Nut’: Less Restrictive Means in the Case Law of the European Court of Human Rights’ (2015) HRLR 15 139-168, p140). By virtue of checking all current accounts (which leads to net loss, p11) instead of checking accounts where there is reason to believe it is linked with an irregular migrant, a sledgehammer has indeed been used.

With regards to striking the fair balance, the ECtHR has never been a fan of indiscriminate powers (S and Marper, (para 125); Kennedy v UK, (para 160)) because it fails to strike a fair balance. So, checking all current accounts is an indiscriminate power, and too would violate the ECHR (S and Marper, (para 126)). The disproportionality intensifies because the interference caused by immigration checks are indefinite in that it occurs four times a year every year until, well, the Government feels like it and the fact that the number likely to be caught are miniscule in comparison to the amount of current accounts checked.

Oh, but we’re checking immigration status regardless of nationality:

This is what a Barclays spokesperson said to the Guardian regarding the new law. I am not suggesting nationality should be the basis for the exercise of power, but as I’ve pointed out above, indiscriminate powers such as these are not compatible with the ECHR. There is another reason why this is not compatible with the ECHR, and that is because of Article 14, which is the anti-discrimination right. Its only applicable when a Convention Right is engaged, in this case, Article 8, and this is where Barclays’s stance (through no fault of their own of course as they are complying with the law) becomes problematic. Indiscriminate powers triggers what is known as Thlimmenos discrimination in that:

[T]he right not to be discriminated against in the enjoyment of the rights guaranteed under the Convention is also violated when States without an objective and reasonable justification fail to treat differently persons whose situations are significantly different (Thlimmenos v Greece, (para 44)).

And so, the position is this, ‘If there is no reason to suspect I am an irregular migrant, why are you running an immigration check on me?’ ‘Where is your objective reasonable justification for singling me out?’ ‘You want to catch 6000 people in your first year, and 900 every year there in after, if I’m not on your list why again are you running an immigration check and furthermore, once I’ve been ruled out, why are you still checking my immigration status four times a year every year?’ ‘You know why you can’t answer these questions? Because you don’t have an answer.’ ‘Do you know what this means? You’ve violated Article 8 in conjunction with Article 14’ (ibid, (para 55)).

Conclusions:

Natalie Bloomer and Samir Jeraj point out that Prime Minister May’s obsession with immigration has turned Britain into a surveillance state. Sadly, we have been a surveillance state for some time before the hostile environment even took form. We are going through a phase where hard won fundamental rights are slowly being nibbled away, each and every measure may seem mundane at the time it was enacted, but this has only emboldened the state to ever-more take the next logical step in cementing hold as a surveillance state whether it be through the hostile environment or electronic mass surveillance. Liberty dies by inches (Verena Zöller, ‘Liberty Dies by Inches: German Counter-Terrorism Measures and Human Rights’ (2004) German Law Journal 5:5 469) and becomes under severe threats from populist movements. This post didn’t really consider the data protection implications of this measure, but the Information Commissioner has linked Article 8 to unlawful processing, so there’s that. What this post has sought to do, is highlight at every legal hurdle, the powers that mandate immigration checks on current accounts, fails.

The story of Google’s AI subsidiary DeepMind took a not-unexpected turn this week when the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to DeepMind. This is the latest step in a saga that looks set to rumble on for some time – and one from which there are many, many lessons to be learned. One of those – sadly one that does not seem likely to be heeded as much as it should be – is that those involved in projects like this should pay more attention to those who can loosely be described as ‘privacy geeks’.

Two in particular have been critically involved in this process – Hal Hodson (@halhod) and Julia Powles (@juliapowles). Hal started the ball rolling with a serious piece of investigative journalism in New Scientist in April 2016, which brought the issue to light, and as well as further journalistic work Hal and Julia wrote a piece of ‘proper’ academic work – ‘Google DeepMind and healthcare in an age of algorithms’ in the journal Healthcare and Technology. This led, ultimately, to the ICO’s investigation and ruling – though it has to be noted that the ICO’s ruling is on DeepMind’s trial with the Royal Free: the real test will be when DeepMind’s work rolls out. The ICO has asked the Royal Free, amongst other things, to do a full ‘privacy impact assessment’ prior to further work. That they did not do so prior to the previous trial is one of the serious shortcomings of the project. As Julia Powles put it in the Guardian yesterday:

“The ruling states that by transferring this data and using it for app testing, the Royal Free breached four data protection principles, as well as patient confidentiality under the common law. The transfer was not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it and their information rights weren’t available to them.”

In all these cases, the warning signs were there, if only the people involved had been willing to listen. The same will happen again – because the privacy geeks know what they’re doing. All too often those involved in these kinds of projects – people from businesses and from big public sector organisations – see those who raise concerns as either easily-dismissed tinfoil-hat-wearing consipiracy theorists, or as people who can cause a little trouble on Twitter but little more than that. Nothing to be taken seriously, little more than an annoyance. More, they’re seen as barriers to innovation, people just raising trouble for its own sake, luddites or worse.

None of this is true. Firstly, the people involved – whether they’re journalists, academics or ‘activists’ (and often they wear more than one of those hats) are often genuine experts. Hal Hodson’s degree from Trinity College Dublin is in Astrophysics, for example, whilst Julia Powles has a PhD in Law from Cambridge. Their concerns aren’t foolish, the issues they raise aren’t just for the sake of it.

Secondly, they know how to use the media – both the social media and the ‘traditional’ media. Hal’s original work was in the New Scientist, and he’s now The Economist’s Technology Correspondent. Julia writes regularly for the Guardian. Both know people all over the media and academia – and they’re far from alone. The failure of care.data and Samaritans Radar involved different people (there are many of us) but similar patterns – blogs, articles in the mainstream media, academic attention and more.

Thirdly, and perhaps most importantly, the people involved are far from a barrier to innovation. I have labelled them (and I’m very much one of them!) ‘geeks’ for a reason. We’re not geeks only about privacy – we’re real geeks. We like technology, we like innovation. We play with all the new technological toys, and see the potential in all kinds of directions – but we want these innovations to work for the people, to work responsibly, to be sustainable. Indeed, this last point is critical – it is a central tenet of much of my own academic work that if privacy is not considered properly, it is not just that a project should fail, but that it will fail. People will reject it – who now remembers the wonderful Google Glass, for example? Despite the sexy technology and the backing of Google’s deep pockets it died a death. It may well re-emerge at some point, but it need not have failed…

…and the same is true of many other projects. There are some great ideas, great innovations, that could avoid suffering the fate of Samaritans Radar, care.data and Google Glass. If they are to do so, the people involved should start listening to the privacy geeks, and sooner rather than later. Don’t see us as the enemy. Don’t try to hide what you do – it is very tempting to do everything you can ‘under the radar’, but when it is revealed it looks even worse. That was true of DeepMind’s deal with the Royal Free – and was just as true about Phorm’s ‘secret trials’ with BT and others back in 2006. One thing that people really should have learned is that these things do get discovered, one way or another. When they do, and it looks as though they’ve been done secretly or without proper scrutiny, they look even worse than they are.

It can all be avoided – but it rarely is. Sadly I expect to have to write similar pieces to this many times in the future.